[Dshield] Hidden Process
pmarsh at nmefdn.org
Wed Jan 17 18:42:42 GMT 2007
I've got a system that is on the fritz. Whenever a search is
done, the resulting links redirect to random sites, mostly porn sites. No
matter what search engine is used, the links look fine when you roll
over them, but once they're clicked the browser is redirected. I've run
Ad-Aware and SpyBot on it and upgraded to IE7, which fires off Windows
Defender, but I've got the same problem. The system was running an up to
date PC-Cillin 2006, which has now been upgraded to 2007. PC-Cillin 2007
is capturing the following malicious proxy: http:// 85 dot 255 dot 114
When I first took a look at the system in question I noticed
that its DNS was changed to two servers in the same sub as above.
Firefox runs without issues.
I ran F-Secure's Black Light on the box and found the following.
01/17/07 08:59:59 [Info]: BlackLight Engine 1.0.55 initialized
01/17/07 08:59:59 [Info]: OS: 5.1 build 2600 (Service Pack 2)
01/17/07 09:00:00 [Note]: 7019 4
01/17/07 09:00:00 [Note]: 7005 0
01/17/07 09:01:02 [Note]: 7006 0
01/17/07 09:01:17 [Note]: 7011 3244
01/17/07 09:01:17 [Note]: 7026 0
01/17/07 09:01:18 [Note]: 7026 0
01/17/07 09:01:26 [Note]: FSRAW library version 1.7.1021
01/17/07 09:07:42 [Info]: Hidden file: c:\WINDOWS\system32\kdnjh.exe
01/17/07 09:07:42 [Note]: 7002 32
01/17/07 09:07:42 [Note]: 7003 1
01/17/07 09:07:42 [Note]: 10002 1
01/17/07 09:08:20 [Note]: 2000 1012
01/17/07 09:11:35 [Note]: 7007 0
I know the ultimate fix is to nuke the drive but does anyone
have any other suggestions? Any tools I could use to find the nasty and
kill it? Any ideas where the IE hook might be hiding in the reg?
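A small triage script for the two observations in the post, resolvers pointed into the same network as the flagged proxy and a hidden file reported by BlackLight, as an added example that is not part of the original post or of any tool named in it. It assumes a constructed `ipconfig /all` sample in the XP-era layout, that the rogue network is 85.255.114.0/24 (the post gives only the first three octets, so the /24 is a guess), and a regex for BlackLight's "Hidden file:" line modelled on the one such line in the post. The trusted-resolver list is whatever the reviewer knows the site should be using.

```python
import ipaddress
import re

# Constructed `ipconfig /all` output for an XP-era host. Both resolvers sit in
# the same network as the proxy the poster's AV flagged; 85.255.114.0/24 is an
# assumption, since the post only gives the first three octets.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : workstation-01
        Primary Dns Suffix  . . . . . . . : corp.example
        Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : corp.example
        IP Address. . . . . . . . . . . . : 192.168.1.50
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 85.255.114.10
                                            85.255.114.12

Ethernet adapter Wireless Network Connection:

        Media State . . . . . . . . . . . : Media disconnected
"""

# One line copied from the BlackLight output in the post, plus a noise line.
SAMPLE_BLACKLIGHT_LOG = """\
01/17/07 09:07:42 [Info]: Hidden file: c:\\WINDOWS\\system32\\kdnjh.exe
01/17/07 09:07:42 [Note]: 7002 32
"""

ADAPTER_RE = re.compile(r"^\S.*:\s*$")                          # unindented "... adapter X:"
DNS_RE = re.compile(r"^\s+DNS Servers[ .]*:\s*(\S+)\s*$")        # first resolver on the DNS line
CONT_RE = re.compile(r"^\s{20,}(\d{1,3}(?:\.\d{1,3}){3})\s*$")   # extra resolvers, wrapped under it
HIDDEN_RE = re.compile(r"\[Info\]: Hidden (\w+): (.+?)\s*$")     # assumed BlackLight line shape


def parse_dns_servers(text):
    """Map adapter name -> list of DNS server strings from `ipconfig /all` text.

    Extra resolvers are printed on continuation lines aligned under the first
    one, so a DNS_RE hit opens a window in which CONT_RE lines are collected.
    """
    adapters, adapter, in_dns = {}, None, False
    for line in text.splitlines():
        if ADAPTER_RE.match(line):
            adapter = line.strip().rstrip(":")
            adapters[adapter] = []
            in_dns = False
            continue
        m = DNS_RE.match(line)
        if m and adapter is not None:
            adapters[adapter].append(m.group(1))
            in_dns = True
            continue
        m = CONT_RE.match(line)
        if m and in_dns:
            adapters[adapter].append(m.group(1))
            continue
        in_dns = False
    return adapters


def flag_dns_servers(adapters, trusted, rogue_nets):
    """Return (adapter, server, reason) for every resolver that is not trusted."""
    trusted_ips = {ipaddress.ip_address(t) for t in trusted}
    nets = [ipaddress.ip_network(n) for n in rogue_nets]
    findings = []
    for adapter, servers in adapters.items():
        for s in servers:
            ip = ipaddress.ip_address(s)
            if any(ip in n for n in nets):
                findings.append((adapter, s, "resolver inside known-rogue network"))
            elif ip not in trusted_ips:
                findings.append((adapter, s, "resolver not in trusted list"))
    return findings


def parse_blacklight_hidden(text):
    """Pull (kind, path) pairs out of BlackLight 'Hidden ...' lines."""
    return [m.groups() for m in map(HIDDEN_RE.search, text.splitlines()) if m]


def triage(ipconfig_text, blacklight_text, trusted, rogue_nets):
    """Combine both checks into one report dict."""
    return {
        "dns": flag_dns_servers(parse_dns_servers(ipconfig_text), trusted, rogue_nets),
        "hidden": parse_blacklight_hidden(blacklight_text),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_IPCONFIG, SAMPLE_BLACKLIGHT_LOG,
                    trusted=["192.168.1.1"], rogue_nets=["85.255.114.0/24"])
    for adapter, server, why in report["dns"]:
        print(f"{adapter}: DNS {server} -> {why}")
    for kind, path in report["hidden"]:
        print(f"hidden {kind}: {path}")
```

Feed it `ipconfig /all > ipconfig.txt` from the affected box and the BlackLight log. A resolver outside the trusted set is the DNS change the poster saw; the setting itself lives in the per-interface NameServer values under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces, which is worth checking directly because a hidden process can rewrite it after a cleanup. The hidden file is the piece that survives the anti-spyware scans, so treat the DNS fix as cosmetic until that file and whatever loads it are gone.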